03-22-2003 10:45 AM - edited 02-20-2020 10:38 PM
Dear Sir / Madam
We are operating a network with 120 sites. We have a PIX-515E acting as a hub point and Contivity 100 in the remote offices.

At the branch offices we use a dedicated IP line (128 K) and at the hub point an 8 Mbps dedicated IP line, establishing tunnels through IPSEC using pre-shared keys. All is working well with good performance and low costs.

When we tried to establish a dial backup (Internet) connection from the Contivity 100, it works fine at the branch office, re-establishing the Internet traffic and other services, but at the central office the tunnel can't be established.

This is due to the static crypto map that needs a peer address to create a SA. Using a dynamic crypto map this problem was solved and the tunnel was established with the dedicated IP or using dial backup access.

The problem is that I could only use a single pre-shared key for all offices, and that's a great problem. So I would like to establish a tunnel using a pre-shared key by hostname instead of peer address.

I couldn't find any example or reference of doing this with PIX-515E software version 6.2. I've seen some configurations using this approach with IOS 12.2, but with PIX I am lacking references on how to use a different pre-shared key and not use the peer address as control / identity.

How can I do it?
Is there any other way to use different pre-shared keys with a dynamic map?
Will it be available in version 6.3?
When do you configure "isakmp identity hostname" for use with IPSEC?

I'm posting a small piece of the configuration:
sysopt connection permit-ipsec
no sysopt route dnat
/* These lines refer to offices with dial backup */
crypto ipsec transform-set AGENCIAS esp-des esp-sha-hmac
crypto dynamic-map backup 20 match address 299
crypto dynamic-map backup 20 set transform-set AGENCIAS
crypto dynamic-map backup 30 match address 300
crypto dynamic-map backup 30 set transform-set AGENCIAS
/* These lines refer to static with no dial backup installed */
crypto map XXX_MAP 301 ipsec-isakmp
crypto map XXX_MAP 301 match address 301
crypto map XXX_MAP 301 set peer XXX.XXX.XXX.XXX
crypto map XXX_MAP 301 set transform-set AGENCIAS
crypto map XXX_MAP 303 ipsec-isakmp
crypto map XXX_MAP 303 match address 303
crypto map XXX_MAP 303 set peer YYY.YYY.YYY.YYY
crypto map XXX_MAP 303 set transform-set AGENCIAS
crypto map XXX_MAP 304 ipsec-isakmp
crypto map XXX_MAP 304 match address 304
crypto map XXX_MAP 304 set peer ZZZ.ZZZ.ZZZ.ZZZ
crypto map XXX_MAP 304 set transform-set AGENCIAS
crypto map XXX_MAP 308 ipsec-isakmp
crypto map XXX_MAP 500 ipsec-isakmp dynamic backup
crypto map XXX_MAP interface outside
isakmp enable outside
/* A different pre-shared key for each site */
isakmp key ******** address XXX.XXX.XXX.XXX
isakmp key ******** address YYY.YYY.YYY.YYY
isakmp key ******** address ZZZ.ZZZ.ZZZ.ZZZ
/* One pre-shared key to every site with dial backup */
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 28800
Thanks for any help
Franzin
03-27-2003 01:05 AM
Hi,
Try using the vpngroup command on the PIX to differentiate between sites.
Configure the group name and passwords (pre-shared keys) on the PIX.
Check to see if your Contivity boxes can authenticate using a username (group name) and password. Hope this helps.
03-27-2003 03:59 AM
Hi,
I'm using it for mobile users with Cisco Client 6.2. It doesn't work with Contivity!
Unfortunately, Contivity can validate a peer using either the IP address or the name of the tunnel (same as hostname for Cisco).
Thanks for your help.
Franzin